Quoting "George A. Theall" <[EMAIL PROTECTED]>:

> On 10/08/07 18:01, Xueshan Feng wrote:
>
>> My scanner was flagged red by this plugin, although the openssl package
>> on the system is up-to-date - stable etch, version 0.9.8c-4etch1.
>
> Are you sure you're looking at the correct plugin? 26029 corresponds to
> DSA-1368-1, which is for a buffer overflow in librpcsecgss.
This is what Nessus reported for my machine:

Vulnerability general/tcp

An off-by-one error has been identified in the SSL_get_shared_ciphers() routine in the libssl library from OpenSSL, an implementation of Secure Socket Layer cryptographic libraries and utilities. This error could allow an attacker to crash an application making use of OpenSSL's libssl library, or potentially execute arbitrary code in the security context of the user running such an application.

For the old stable distribution (sarge), this problem has been fixed in version 0.9.7e-3sarge5.

For the stable distribution (etch), this problem has been fixed in version 0.9.8c-4etch1.

For the unstable and testing distributions (sid and lenny, respectively), this problem has been fixed in version 0.9.8e-9.

We recommend that you upgrade your openssl packages.

Solution : http://www.debian.org/security/2007/dsa-1379
Risk factor : High
The package openssl is vulnerable in Debian 4.0.
Upgrade to openssl_0.9.8e-9
CVE : CVE-2007-5135
Other references : DSA:1379
Nessus ID : 26209

Informational general/tcp

And this is the openssl package installed on my machine (run aptitude show openssl):

Package: openssl
State: installed
Automatically installed: yes
Version: 0.9.8c-4etch1
Priority: optional
Section: utils
Maintainer: Debian OpenSSL Team <[EMAIL PROTECTED]>
Uncompressed Size: 2273k
Depends: libc6 (>= 2.3.6-6), libssl0.9.8 (>= 0.9.8c-1), zlib1g (>= 1:1.2.1)
Suggests: ca-certificates
Conflicts: ssleay (< 0.9.2b)
Description: Secure Socket Layer (SSL) binary and related cryptographic tools
 This package contains the openssl binary and related tools.

>
> George
> --
> [EMAIL PROTECTED]
> _______________________________________________
> Nessus mailing list
> [email protected]
> http://mail.nessus.org/mailman/listinfo/nessus
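The DSA text quoted above lists a different fixed version for each Debian release, so a correct check must compare the installed version against the fix for the host's own release. As an added example that is not from the thread, Nessus or Debian's own tools, the Python below implements Debian's version ordering (the Debian Policy rules: epoch, upstream, revision; '~' sorts first, letters before other characters, digit runs compared numerically) and tests an installed openssl version against the DSA-1379 fix for a given release; `DSA_1379_FIXED`, `compare_versions` and `is_vulnerable_to_dsa_1379` are names chosen here. Comparing the etch version 0.9.8c-4etch1 against the sid/lenny fix 0.9.8e-9 instead of the etch fix is the kind of release mismatch that reports an up-to-date etch host as vulnerable.

```python
import re

# Fixed versions per release, as quoted from DSA-1379 in the thread above.
DSA_1379_FIXED = {
    "sarge": "0.9.7e-3sarge5",
    "etch": "0.9.8c-4etch1",
    "lenny": "0.9.8e-9",
    "sid": "0.9.8e-9",
}

def _cmp_nondigit(a, b):
    # Debian ordering: '~' sorts before anything (even end of string, 0); letters before other chars.
    order = lambda c: -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)
    for i in range(max(len(a), len(b))):
        x = order(a[i]) if i < len(a) else 0
        y = order(b[i]) if i < len(b) else 0
        if x != y:
            return -1 if x < y else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit runs (ordered as above) and digit runs (numeric).
    pa, pb = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for i in range(max(len(pa), len(pb))):
        xa, xd = pa[i] if i < len(pa) else ("", "")
        ya, yd = pb[i] if i < len(pb) else ("", "")
        na, nb = int(xd or 0), int(yd or 0)
        r = _cmp_nondigit(xa, ya) or (na > nb) - (na < nb)
        if r:
            return r
    return 0

def _parse(version):
    # [epoch:]upstream[-debian_revision]; a missing revision counts as "0".
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _parse(a), _parse(b)
    return (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_vulnerable_to_dsa_1379(installed, release):
    """True when the installed openssl is older than the DSA-1379 fix for that release."""
    return compare_versions(installed, DSA_1379_FIXED[release]) < 0
```

Checked against the thread's etch host, `is_vulnerable_to_dsa_1379("0.9.8c-4etch1", "etch")` is False, while the same version checked against "sid" is True.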
